title: "Entra ID (Azure AD) <-> Amazon Cognito" direction: right classes: { user: { style.fill: "#F5F5F5" style.stroke: "#666666" style.font-color: "#24292F" } cdn: { style.fill: "#EDE7F6" style.stroke: "#8C4FFF" style.font-color: "#3E257A" } auth: { style.fill: "#FFEBEE" style.stroke: "#DD344C" style.font-color: "#7E1D2D" } compute: { style.fill: "#FFF2E8" style.stroke: "#ED7100" style.font-color: "#7A3B00" } database: { style.fill: "#F5E6F7" style.stroke: "#C925D1" style.font-color: "#6B1672" } azure: { style.fill: "#EAF1FB" style.stroke: "#0078D4" style.font-color: "#0F5BA8" } } subtitle: "SAML-Federation fuer die Capita Web-Tools · Shared Cognito Pool" { shape: text near: top-center style.font-size: 18 style.font-color: "#4A5568" } user: "Mitarbeiter\nUser / Browser" { class: user } aws: "AWS Cloud · eu-central-1" { style.fill: "#FFF6EE" style.stroke: "#E0A86B" style.font-color: "#B7651A" style.stroke-dash: 4 web: "Web-Tools\nApps Portal / CloudFront+S3" { class: cdn } cognito: "Amazon Cognito\nUser Pool · Broker/SP" { class: auth } lambda: "Pre-Token Lambda\nApp-Zugriff+Gruppen" { class: compute } dynamodb: "DynamoDB\napp-access · Gruppen" { class: database } } azure: "Microsoft Azure · Entra ID Tenant" { style.fill: "#EAF1FB" style.stroke: "#0078D4" style.font-color: "#0F5BA8" entra: "Microsoft Entra ID\nIdP · MFA · Cond. Access" { class: azure } mfa: "4 Anmeldung + MFA\nConditional Access" { style.fill: "#FFFFFF" style.stroke: "#0078D4" style.stroke-dash: 4 style.font-color: "#0F5BA8" } } user -> aws.web: "1 Aufruf (HTTPS)" { style.stroke: "#4A5568" } aws.web -> aws.cognito: "2 Login-Redirect · PKCE" { style.stroke: "#4A5568" } aws.cognito -> azure.entra: "3 SAML AuthnRequest" { style.stroke: "#0F6CBD" style.stroke-width: 2 } azure.entra -> aws.cognito: "5 SAML-Assertion\nemailaddress = UPN" { style.stroke: "#0F6CBD" style.stroke-width: 2 } aws.cognito -> aws.lambda: "6 Pre-Token-Trigger" { style.stroke: "#4A5568" } aws.lambda -> aws.dynamodb: "7 prueft Gruppen" { style.stroke: "#4A5568" } aws.cognito -> aws.web: "8 Token (JWT) -> eingeloggt" { style.stroke: "#1F7A52" style.stroke-width: 2 }